PHP Security Breach
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Y! MyWeb
Share:
Sponsors:
I urge all our users to make the following change to viewtopic.php as a matter of urgency. Open viewtopic.php in any text editor. Find the following section of code:
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));
for($i = 0; $i < sizeof($words); $i++)
{
and replace with:
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));
for($i = 0; $i < sizeof($words); $i++)
{
Note: Please inform as many people as possible about this issue. If you're a hosting provider please inform your customers if possible. Else we advise you implement some level of additional security if you run ensim or have PHP running cgi under suexec, etc.
If your hosted by Codezhost... no worries we have suexec shutdown and nothing can be called from it.
Article submitted by: Telli
Last Update: 12-05-2004
Category: Security
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));
for($i = 0; $i < sizeof($words); $i++)
{
and replace with:
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));
for($i = 0; $i < sizeof($words); $i++)
{
Note: Please inform as many people as possible about this issue. If you're a hosting provider please inform your customers if possible. Else we advise you implement some level of additional security if you run ensim or have PHP running cgi under suexec, etc.
If your hosted by Codezhost... no worries we have suexec shutdown and nothing can be called from it.
Article submitted by: Telli
Last Update: 12-05-2004
Category: Security
Current rating: 5.31 by 54 users
| Would you recommend this article to a friend? |
| Not a Chance | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | Absolutely |
Related News Stories
(9,407 reads) 07-05-2008
· Fusion Security(15,102 reads) 06-02-2007
· NukeSentinel(tm)2.5.10 Critical Update(13,856 reads) 05-07-2007
· NukeSentinel(tm) 2.5.08 Maintainance Release(15,330 reads) 03-15-2007
· NukeSentinel(tm) 2.5.07 Reissued: Critical Update(13,828 reads) 03-02-2007
· NukeSentinel(tm) 2.5.06: Critical Update(14,588 reads) 01-23-2007
· NukeSentinel(tm) 2.5.05 released(14,614 reads) 12-24-2006
· NukeSentinel 2.5.04 released(14,338 reads) 11-03-2006
· NukeSentinel(tm) 2.5.03 Released(18,177 reads) 10-19-2006
· Php Nuke 8.0 Patched(14,566 reads) 10-01-2006
· ipBan Modification
Please register or sign-in to post comments.